Add a -V, --scan-vss-backups option to General Options #1299
Comments
Is it correct to say that this function is available only on Windows because it uses Windows API commands? It is unclear from where to what point hayabusa should respond. I think it is too much to ask Hayabusa to do everything from `vssadmin list shadows`, which requires administrator privileges, but how about supporting it with another script?
Yes, this functionality would only be possible if the user specifies It does require some COM programming and may be different for Win 7 versus more recent versions of Windows. So it would probably be easier just to call
Thank you so much for the mention :) Sounds interesting!
20240411 MTG memo:
@fukusuket I think I found a better way to do this than COM. We can query the information through WMI!
This crate can query WMI and thankfully seems to be maintained: https://github.com/ohadravid/wmi-rs
Sounds good! I'll try it💪
@fukusuket Great! Thanks!
I tried the following code (with

```rust
use std::collections::HashMap;
use wmi::{COMLibrary, Variant, WMIConnection};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Initialise COM for this thread and open a WMI connection (root\cimv2 by default).
    let com_con = COMLibrary::new()?;
    let wmi_con = WMIConnection::new(com_con.into())?;
    // One row per shadow copy present on the system.
    let query = "SELECT * FROM Win32_ShadowCopy";
    let results: Vec<HashMap<String, Variant>> = wmi_con.raw_query(query)?;
    // Keep only the VolumeName property of each snapshot.
    let volumes: Vec<_> = results
        .iter()
        .filter_map(|map| map.get("VolumeName"))
        .collect();
    println!("{:?}", volumes);
    Ok(())
}
```

then got the following expected result👍
The above results match the vssadmin results.
The expected detection results were obtained as shown below.
-l option
volume shadow
I am thinking of the following specifications. What do you think?
If I have misunderstood the specifications, please let me know!🙏
I have one more question!
Yes, this is only possible with live analysis so we should require this.
Yes!
There can be multiple volume shadows so I would like to scan them all. Note: There will probably be many duplicate events so users should probably also specify
I was only thinking about It would also be nice to see what volumes were found and their creation date. Before:
After:
or
I am guessing that extracting this information should be done before creating the channel filter but if there is a better place/time to do it then please change it to wherever you think is good.
@YamatoSecurity I tried シャドウ コピー ID, but I couldn't scan it with hayabusa... :(
@fukusuket Ah, that is my mistake. I was using the original volume ID of the C: thinking it was the snapshot. It doesn't work for me directly on the command line. Only if the C: volume ID is used. I think we can do this by mounting the snapshot to a folder. (I don't want to add another volume to mount if possible).
seems to work... however, unfortunately it gives these errors:
When I tried to open the backed up If I copy out the files to a different directory then it works but trying to make copies of all the evtx files for live analysis is not ideal as evidence may be overwritten. When I just Could you check the code to see if Hayabusa is explicitly trying to open the .evtx files in read-only mode?
The file is opened at the following code, but it is Read Only. Also, in my environment, when I opened the mounted folder's evtx in Event Viewer after
I tried the wevtutil command and got the following result😢
@fukusuket Humm.. if you copy the file to a different directory and then scan it, does it work?
@YamatoSecurity
I got to work with copying with
Can you test if it works with copying with robocopy? |
Memo: I can run Hayabusa against the volume shadow backup with
@YamatoSecurity -l option
copy by explorer
copy by robocopy
According to the following article, the However, from the verification results in the above article, it seems that there is a possibility that vss can be used on Server OS without corruption🤔
Although verification is required, if vss can be read without corruption on Server OS, one option is to implement it as a feature supported only on Server OS🤔
@fukusuket That's a good article you found! Even if we can only use it on server OSes, that still would be a good feature..
I also think it would be great if support could be provided even if it is only for Server OS :)
My concern is: 🤔
There are several options (each has its pros and cons); which one do you think is better?
IMHO, I think it would be good to start with the documentation above (hoping to find better means of realization while writing the document and researching... 😇)
@fukusuket I think we can run against backup logs without making a link like this. I think we should go with number 1 and implement it in Hayabusa. If it doesn't work for some reason due to a different environment then hopefully someone will create an issue and we can go from there.
Sorry, I missed the above comment. I see!
@fukusuket Since this is not necessarily dependent on whether it is a server OS, I think we should leave out the server check. That is, some people may be using Hayabusa on Windows 7, also some people may change the registry settings to get proper backups on Windows 8/10/11. We should though print some warning message that this feature may not work depending on the setting. I will think about what message we should tell the user.
@fukusuket I found just two articles (from the same person) talking about this in English: https://dfir.ru/2020/02/29/scoped-shadow-copies/ One thing to watch out for is that To determine whether a Windows system may have usable VSS backups, we probably should check the registry key Also, for server OSes,
JFYI: these articles are from different authors. (In fact, these are independent discoveries.)
@msuhanov Sorry I forgot to post the second link. I meant the same author for these two articles: https://dfir.ru/2020/02/29/scoped-shadow-copies/ and https://dfir.ru/2019/07/29/things-you-probably-didnt-know-about-shadow-copies/
So some weird things going on... However, I still get the read errors and no detections. This is after setting the registry to turn off ScopeSnapshots, rebooting and creating new snapshots... It does work if I copy the evtx files out to a different directory though...
Old `.evtx` logs may be found in the Volume Shadow Copy Service backups so it would be nice to have a `--scan-vss-backups` option that is used when Hayabusa is doing a live analysis with `-l` in order to obtain older logs. Since there will usually be duplicate logs it would usually be used with the `-X, --remove-duplicate-detections` option or after creating results with `--low-memory-mode`, have the duplicate events deleted with `sort-csv`.

Ideally it would be best to list out the shadow copy backups with native Windows API calls but I don't think there is any easy way to do that so it will probably be easier at first to use built in Windows commands and parse the results.

To list out VSS backups we can use the command `vssadmin list shadows /for=c:` which will give a list of `Shadow Copy Volume` which will look like `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1`

It is then possible to mount by creating a link to it with `mklink /d D:\shadowtest \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\`

However, when I run Hayabusa against `D:\shadowtest\Windows\System32\winevt\Logs\` it gives me the following error:

Trying to run `hayabusa.exe csv-timeline -d \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\winevt\Logs\` also gives the same error.

However, `vssadmin list shadows` also gives Volume information in the `Original Volume` field. It looks like `(C:)\\?\Volume{2223423-aae8-823d-8dafdadf9j3e3}\`

When I run `hayabusa.exe csv-timeline -d \\?\Volume{2223423-aae8-823d-8dafdadf9j3e3}\Windows\System32\winevt\Logs\` using the Volume ID instead, Hayabusa succeeds in scanning the VSS backups.

So we just need a way to find the original volume names with `vssadmin list shadows`, parse the output and then have hayabusa add those directories when scanning.

@fukusuket Are you interested in this issue? I think this month you will be busy preparing with BSides, etc.. so no need to rush. It can be added for v2.15.0, etc...
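The "parse the output and add those directories" step described above, as an added example that is not Hayabusa's own code and not from this issue: a small parser for the text output of `vssadmin list shadows` that extracts the Shadow Copy ID, creation time, Original Volume (split into drive letter and volume GUID path) and Shadow Copy Volume, and then builds the `Windows\System32\winevt\Logs\` directory under each snapshot's device path. The sample output is constructed with placeholder GUIDs. The parser keys on the English field labels; on a localized Windows the labels are printed in the system language (the thread later shows a Japanese "シャドウ コピー ID"), which is one reason a WMI query is more robust than parsing vssadmin text. Which of the resulting paths Hayabusa can actually open is a separate question that the thread is still working through.

```rust
// Added example, not Hayabusa's own code: parse English-locale `vssadmin list shadows`
// output into records and derive the winevt\Logs directory inside each snapshot.

/// One shadow copy as listed by `vssadmin list shadows`.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ShadowCopy {
    pub shadow_copy_id: String,
    pub creation_time: String,
    pub drive_letter: Option<String>,  // from the "(C:)" prefix of Original Volume
    pub original_volume: String,       // GUID path of the live volume that was snapshotted
    pub shadow_copy_volume: String,    // \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
}

/// Parse `vssadmin list shadows` output, keying on the English field labels.
pub fn parse_vssadmin_list_shadows(output: &str) -> Vec<ShadowCopy> {
    let mut copies = Vec::new();
    let mut creation_time = String::new();
    let mut current: Option<ShadowCopy> = None;

    for raw in output.lines() {
        let line = raw.trim();
        if let Some(rest) = line.strip_prefix("Contained ") {
            // "Contained 1 shadow copies at creation time: 4/11/2024 9:12:03 AM"
            if let Some((_, time)) = rest.split_once("creation time:") {
                creation_time = time.trim().to_string();
            }
        } else if let Some(id) = line.strip_prefix("Shadow Copy ID:") {
            // A new record starts here; flush the previous one first.
            if let Some(done) = current.take() { copies.push(done); }
            current = Some(ShadowCopy {
                shadow_copy_id: id.trim().to_string(),
                creation_time: creation_time.clone(),
                drive_letter: None,
                original_volume: String::new(),
                shadow_copy_volume: String::new(),
            });
        } else if let Some(value) = line.strip_prefix("Original Volume:") {
            if let Some(sc) = current.as_mut() {
                // "(C:)\\?\Volume{...}\" -> drive letter "C:" plus the GUID path
                let value = value.trim();
                match value.strip_prefix('(').and_then(|r| r.split_once(')')) {
                    Some((letter, path)) => {
                        sc.drive_letter = Some(letter.to_string());
                        sc.original_volume = path.to_string();
                    }
                    None => sc.original_volume = value.to_string(),
                }
            }
        } else if let Some(value) = line.strip_prefix("Shadow Copy Volume:") {
            if let Some(sc) = current.as_mut() {
                sc.shadow_copy_volume = value.trim().to_string();
            }
        }
    }
    if let Some(done) = current.take() { copies.push(done); }
    copies
}

/// winevt\Logs directory inside every snapshot of `drive` (case-insensitive),
/// built from the snapshot device path rather than the live volume's GUID path.
pub fn winevt_log_dirs(copies: &[ShadowCopy], drive: &str) -> Vec<String> {
    copies
        .iter()
        .filter(|c| c.drive_letter.as_deref().map_or(false, |d| d.eq_ignore_ascii_case(drive)))
        .filter(|c| !c.shadow_copy_volume.is_empty())
        .map(|c| format!("{}\\Windows\\System32\\winevt\\Logs\\", c.shadow_copy_volume.trim_end_matches('\\')))
        .collect()
}

/// Constructed sample output (placeholder GUIDs, not captured from a real host).
pub const SAMPLE_VSSADMIN_OUTPUT: &str = r"vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {aaaaaaaa-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 4/11/2024 9:12:03 AM
      Shadow Copy ID: {bbbbbbbb-0000-0000-0000-000000000001}
         Original Volume: (C:)\\?\Volume{cccccccc-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {aaaaaaaa-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 4/12/2024 8:45:00 PM
      Shadow Copy ID: {bbbbbbbb-0000-0000-0000-000000000002}
         Original Volume: (C:)\\?\Volume{cccccccc-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
";

fn main() {
    let copies = parse_vssadmin_list_shadows(SAMPLE_VSSADMIN_OUTPUT);
    for c in &copies {
        println!("{} created {} -> {}", c.shadow_copy_id, c.creation_time, c.shadow_copy_volume);
    }
    for dir in winevt_log_dirs(&copies, "C:") {
        println!("scan: {}", dir);
    }
}
```

Filtering by drive letter mirrors the `/for=c:` argument used in the issue, and the creation time is carried along so the "volumes found and their creation date" message discussed later in the thread can be printed from the same records.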